If you are unsure that you have set up your server correctly, or if you are looking for ideas on how to make it
more armored, here is a suggested checklist :


Past fixed security reports

Always make sure you are running the latest version!

2005-03-09 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0690 (modified since v3.5)

2006-05-03 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2172 (fixed since v3.8)


Administration / Properties 


- Grant all access to localhost : should only be checked for the initial server setup. Once you have created an
administrator account, uncheck it to disable local user access (it should already be off in a multi-user
environment).


Administration / IP binding 


- The default administration port is 8021; you can change it to a different value. Do not forget to also change the
server profile in the administration client.


Domain / Authentication 

- Max. login sequences : defaults to 3; after 3 attempts at the USER/PASS sequence the user will be disconnected.

- Login error delay : defaults to 3 seconds. If you see many unexpected connection attempts you can increase it to
10s (this will also delay legitimate users who mistype their login/password ...).

- Redirect wrong login : can be used to trick a robot into thinking it has found a valid login/password, whereas
it is actually logged in under the anonymous account.


Domain / Miscellaneous 


- Anti hammer : if you have angry people knocking at the server doors, enable the anti hammer and watch them
get banned automatically for annoying you.


Domain / Logs and reports 


- Defining a new regular log can show you what is going on on your server. For example, you can enable only "login",
"upload", "download" and "file deletion" to get a quick view of what your users are doing.


Domain / Secure / Options 


- Enable "Block banned IP" so a banned client does not receive any message telling it why it is banned; it will just
think there is a server problem.


Domain / IP binding 

- Running the server on a non-standard port like 10021, 20121 ... can hide you from automated scripts searching
for publicly writable FTP servers.

- Using SSL will encrypt all data that is exchanged between the server and the client. 


User account 


- If you need an anonymous account, never allow read and write access to the same folder with an anonymous
account.

- Using the built-in password generator produces 8-character random passwords, so the password is harder to
guess by brute force (it is copied to the clipboard).

- "Regular password stored as MD5" stores a hashed value of the entered password; it cannot be decrypted (only
recovered by brute forcing).

- Enable "Secure connection only (ssl)" for sensitive accounts containing important data: the user will be forced
to use an encrypted connection or the server will not log him in. You can also require that the user uses SSL for
access to some directories (see access rights).

- Set an expiration date for temporary accounts, so you do not forget to disable them later and leave a potential 
entry door. 


User account / Advanced 


- If you do not want your user to have access to certain FTP commands, disable them : see Advanced /
Disabled commands (STOR, XCRC, XMD5 ...)

- FXP (server to server transfer) should be disabled (it is by default), unless you expect the user to transfer from/to
another server.


User account / Banned files 

- Define forbidden file filters on your server, like *.vbs, *.bat, *.exe

User account / Time of day access

- As a company you may only allow access to your server during office hours, so define the hour range.


User account / IP access


- If required, define the IP access to only allow known hosts/IPs (where possible). For example, if you know your users
always come from *.thissubnet.com, just add the rule "+*.thissubnet.com" in the user account. This also works with
IP addresses or dynamic names (enter them between parentheses: "+(bobftp.dyndns.org)").

You can also set IP access at domain, FTP Server level or Administration level. 


Service account 


Under Windows XP/2003, you can use the new network service account named NETWORK SERVICE instead of
LOCAL SYSTEM to increase the server security and reduce the access rights of the server process. Two steps are
required :


1) changing the service account :

- launch Start / Run / services.msc

- scroll to "Gene6 FTP Server", right click to open the properties page, click on "Log on"

- select "This account" and click Browse

- "Select this object type" should be "User or Built-in security principal"

- click on "Advanced"

- click on "Find now"

- in the list select "NETWORK SERVICE"

- click on OK

- click on OK to validate the "Select user" window choice

- clear the password boxes, then click on OK

- restart the service when prompted


2) allowing NETWORK SERVICE read/write access to the Gene6 FTP Server configuration files :

- open Explorer and browse to c:\Program Files\Gene6 FTP Server\

- right click, open the Properties page

- in the "Security" page, add NETWORK SERVICE with full control

- restart the service to apply the changes immediately, or wait for the cache to refresh
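The same two steps scripted for an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes the service display name "Gene6 FTP Server" shown in services.msc and the default install path given above.

```powershell
# Added example (not from the original post): perform the two service-account
# steps from an elevated PowerShell prompt instead of clicking through services.msc.
# Assumptions: the service's display name is "Gene6 FTP Server" and the install
# directory is the default path named in the post.
$displayName = 'Gene6 FTP Server'
$installDir  = 'C:\Program Files\Gene6 FTP Server'
$account     = 'NT AUTHORITY\NetworkService'

# Step 1: switch the service logon from LOCAL SYSTEM to NETWORK SERVICE.
# Win32_Service.Change takes the account in StartName; built-in service
# accounts use an empty password (the "clear the password boxes" step).
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$displayName'"
if (-not $svc) { throw "Service '$displayName' not found" }
$result = $svc | Invoke-CimMethod -MethodName Change -Arguments @{
    StartName     = $account
    StartPassword = ''
}
if ($result.ReturnValue -ne 0) {
    throw "Changing the logon account failed with code $($result.ReturnValue)"
}

# Step 2: give NETWORK SERVICE access to the configuration directory.
# (OI)(CI) makes the entry inherit to files and subfolders; F is the
# "full control" the post asks for (M, Modify, would also cover read/write).
icacls $installDir /grant "${account}:(OI)(CI)F"
if ($LASTEXITCODE -ne 0) { throw "icacls failed" }

# Restart the service so the new logon account takes effect immediately.
Restart-Service -Name $svc.Name

# Verify: the service now runs as NetworkService and the ACL lists it.
Get-CimInstance Win32_Service -Filter "DisplayName='$displayName'" |
    Select-Object Name, StartName, State
icacls $installDir | Select-String 'NETWORK SERVICE'
```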

Restricting available SSL ciphers

You can specify which ciphers to use by adding a line in the [Domain] section of your domain's settings.ini file.
For instance, to only allow the AES256-SHA cipher, add this line to your domain settings.ini file :

CODE

SSLCipherList=AES256-SHA


FTP clients that do not support this cipher won't be able to complete the SSL handshake with the server.

If you want to allow a list of ciphers, separate them with a colon :

CODE

SSLCipherList=AES256-SHA:RC4-MD5

Do not hesitate to post your suggestions to increase security.